Sunday, August 04, 2002

Last week a reporter for the NY Times called to discuss a posting of mine to Dave Farber's Interesting People list. The subject was the rather incredible story of a Princeton director of admissions testing to see if some of the students who'd applied at his school had been admitted by Yale.

Here's the beginning of the piece:

SURVEILLANCE 101
Privacy vs. Security on Campus
By JOHN SCHWARTZ

WHEN the news broke a week ago that a Princeton admissions officer had used the Social Security numbers of applicants to his school to view Yale University's Web site for admissions, privacy advocates were aghast not only at his act, but also at the Yale site's lack of security.

In one online forum, Richard Wiggins, an author and information technology specialist at Michigan State University, noted that most businesses with online customer accounts have learned that Social Security numbers alone offer poor security, and issue personal identification numbers as well.

Last week a story broke about the Admissions office at Princeton breaking into the database that shows prospective Yale students whether they were admitted or not. This was trivial because the Yale signon only required the applicant's Social Security Number and date of birth for authentication. Since Princeton required the same information, they could check on any applicant they surmised had applied both places.

The Princeton director claimed that he did this only to check out security on the Yale site. But a Washington Post article says that the same applicant was checked on multiple times, and that it appears that President Bush's niece as well as the grandson of Notre Dame coach Ara Parseghian were checked.

Of course this story makes Princeton look bad, though they are coming down hard, having placed the director on leave and issued a strong statement. But it also makes everyone look bad:

-- Yale's database used weak authentication. They should've assigned an ID/PW or a random PIN to each new applicant. Web merchants have had the protocol right for years now. They opened themselves up to this sort of attack -- and not only from other universities, but any unscrupulous staff member at a credit card provider, bank, hospital, etc.

-- Yale's database notified students of admission in a rather childish way, it seems. The first time you logged in, if you were admitted, you saw fireworks. If you logged in again later, you didn't see the fireworks. Thus if Princeton looked you up you didn't get the happy treatment.

Yale has turned this over to the FBI. Whether or not there's a prosecution, the important point here is not what Princeton did to Yale, but rather what Princeton did to the privacy of prospective students. The Admissions staff could've used the same information to change an applicant's address and apply for a credit card -- "to test security".
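
The random-PIN approach suggested above, sketched as an added example (not part of the original posting and not code from any Yale or Princeton system). The class name, applicant ID, lockout threshold and sample identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout threshold


class AdmissionsPortal:
    """Hypothetical portal: the credential is a random PIN, not SSN + date of birth."""

    def __init__(self):
        self._records = {}  # applicant_id -> {"salt", "hash", "failures"}

    @staticmethod
    def _derive(pin, salt):
        # Slow salted hash, so a leaked table does not expose the PINs directly.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

    def enroll(self, applicant_id):
        """Issue a random 8-digit PIN; returned once for delivery to the applicant."""
        pin = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._records[applicant_id] = {
            "salt": salt, "hash": self._derive(pin, salt), "failures": 0}
        return pin

    def login(self, applicant_id, pin):
        rec = self._records.get(applicant_id)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False  # unknown applicant, or locked after repeated failures
        ok = hmac.compare_digest(self._derive(pin, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


def demo():
    portal = AdmissionsPortal()
    pin = portal.enroll("A-1001")  # constructed applicant id
    legit = portal.login("A-1001", pin)
    # Constructed identifiers of the kind another institution also holds on file.
    outsider = portal.login("A-1001", "000-00-0000/1984-01-01")
    for _ in range(MAX_FAILURES):
        portal.login("A-1001", "not-the-pin")
    locked_out = portal.login("A-1001", pin)  # refused once the lockout trips
    return legit, outsider, locked_out


if __name__ == "__main__":
    print(demo())
```

The secret here exists only between the portal and the applicant, so holding the applicant's Social Security number and birth date from another application form gives no access.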